The use of the Internet for services that replace or
supplement traditional telephony is, predictably, causing
discussions in many countries about the point at which
special rules about telephony services begin to apply to
Internet service providers. In many countries, these rules
could impose new legal obligations on ISPs, particularly
requirements to comply with requests from law enforcement
agencies or regulators to intercept, or gather and report other
information about, communications. For example, many
traditional telephony devices, especially central-office
switches, sold in those countries are required to have built-in
wiretapping capabilities to allow telephone carriers to fulfill
these obligations.

A number of IETF working groups are currently working on
protocols to support telephony over IP networks. The wiretap
question has come up in one of these working groups, but
the IESG has concluded that the general questions should
be discussed, and conclusions reached, by the entire IETF,
not just one WG. The key questions are:

"should the IETF develop new protocols or modify existing
protocols to support mechanisms whose primary purpose is
to support wiretapping or other law enforcement activities"

and

"what should the IETF's position be on informational
documents that explain how to perform message or
data-stream interception without protocol modifications".

We would like to encourage discussion of these questions on
the new raven@ietf.org mailing list. Subscription requests
should be mailed to raven-request@ietf.org OR subscribe via
the web at http://www.ietf.org/mailman/listinfo/raven

Time will be allocated at the Plenary session at the
November IETF to discuss this orally and try to draw a
consensus together. (PLEASE DISCUSS THIS ON THE
NEW MAILING LIST AND NOT ON THE GENERAL IETF
LIST)

In addition to the general questions identified above, we
believe it would be helpful for mailing list comments to
address the following more specific questions:

Adding wiretap capability is by definition adding a security
hole. Considering the IETF's commitment to secure
protocols, is it a reasonable thing to open such a hole to
meet these requirements?

Should the IETF as an international standards organization
shape its protocols to support country-specific legal
requirements?

If the companies who employ the IETF participants and
deploy the IETF's technology feel that having wiretap
capability is a business necessity due to the regulatory
requirements in the countries where they want to sell their
products, would that make a difference to the IETF position
on this subject?

What is the appropriateness or feasibility of standardizing
mechanisms to conform to requirements that may change
several times over the life cycle of equipment built to conform
to those standards?

When IPv6 was under development, the IETF decided to
mandate an encryption capability for all devices that claim to
adhere to those standards. This was done in spite of the fact
that, at the time the decision was made, devices meeting the
IPv6 standard could not then be exported from the U.S. nor
could they be used in some countries. Is that a precedent for
what to do in this case?

Could the IETF just avoid specifying the part of the
technology that supports wiretapping, presumably assuming
that some industry consortium or other standards
organization would do so? Would letting that responsibility
fall to others weaken the IETF's control over its own
standards and traditional areas?

If these functions must be done, is it better for the IETF to do
them so that we can ensure they are done in the most
secure way and, where permitted by the regulations, to
ensure a reliable audit capability?

What would the image of the IETF be if we were to refuse to
standardize any technology that supported wiretapping? In
the Internet community? In the business community? To the
national regulatory authorities?

The goal of the mailing list and then plenary session is to
address the broad policy and direction issue and not specific
technical issues such as where exactly in an architecture it
would be best to implement wiretapping if one needed to do
so. Nor are they to address what specific functions might be
needed to implement wiretapping under which countries'
laws. The intent is basically to discuss the question of what
stance the IETF should take on the general issue.
-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.-
relayed by
iesg-secretary@ietf.org via maurice@xs4all.nl via
gilc-plan@gilc.org